Totolink A7100RU Pre-auth OS Command Injection in cstecgi.cgi

Vulnerability Key Information Summary 1. Vulnerability Overview This vulnerability is a pre-authentication OS command injection flaw found in the web management interface of the Totolink A7100RU router. Vulnerability Mechanism: In the function of the interface, the CGI processor directly retrieves user-controlled input from the HTTP parameter and embeds it directly into a shell command string, which is then executed via . No escaping or sanitization is performed on the input. Impact: A remote attacker can inject arbitrary shell commands into this interface without any authentication, executing them with root privileges. This leads to the complete compromise of the router device and may allow for further compromise of the connected network. 2. Scope of Impact Device Model: Totolink A7100RU Affected Firmware Version: 7.4cu.2313_b20191024 Affected Component: function within the web management interface ( ). 3. Remediation The provided screenshot does not contain an official patch. Based on the description, the remediation should focus on the function to ensure strict validation, escaping, or sanitization of the user-supplied parameter to prevent command injection. 4. PoC / Exploit Code While the screenshot does not directly display code blocks, it provides a link to obtain the Proof of Concept (PoC): Source (GitHub): VulDB Entry**:

Goal Reached Thanks to every supporter — we hit 100%!

Totolink A7100RU Pre-auth OS Command Injection in cstecgi.cgi